b"               OFFICE OF\n               INSPECTOR\n               GENERAL\n               UNITED STATES POSTAL SERVICE\n\n\n\n\n                     Availability of\n                 Critical Applications\n\n                        Audit Report\n\n\n\n\n                                         September 25, 2013\n\nReport Number IT-AR-13-008\n\x0c                                                                    September 25, 2013\n\n                                                                             Availability\n                                                                of Critical Applications\n\n                                                           Report Number IT-AR-13-008\n\n\n\nBACKGROUND:\nTo align with its 2013 plan, the U.S.         terminals disconnected from the network\nPostal Service is striving to expand its      to the designated help desk. Employees\nbusiness by increasing the availability of    are not properly following policy or\nits critical applications to its customers.   receiving formal communication\nThis expansion is being met through           materials on reporting POS terminal\ntechnology and process enhancements           outages. Further, the Postal Service\nof critical business system performance.      does not monitor the availability of POS\n                                              terminals during business hours or track\nOur objective was to assess the               how long terminals are unavailable. No\navailability of critical Postal Service       group has been assigned to conduct\napplications and related monitoring           real-time monitoring or to develop and\nactivities, and we judgmentally selected      maintain reports and metrics on the\nfour critical applications for review \xe2\x80\x94       availability of POS terminals, unlike the\nFacility Access and Shipment Tracking,        other critical applications we reviewed.\nusps.com, Point-of-Service (POS)\xe2\x80\x93\nRetail, and PostalOne!\xe2\x80\x93Business               In fiscal year\nCustomer Support System. We did not                                        . We\nassess customers' experiences with the        identified annual revenue at risk totaling\nservices provided by these applications.      $809,403 related to 92 outages from\n                                              February through May 2013.\nWHAT THE OIG FOUND:\nThe Postal Service is proactive in            WHAT THE OIG RECOMMENDED:\nmonitoring the Facility Access and            We recommended the Postal Service\nShipment Tracking, PostalOne!-                develop, and require POS users to\nBusiness Customer Support System,             review, updated guidance on system\nand usps.com applications to ensure           outages, and immediately report all\nthey meet established availability            outages to the designated help desk.\ntargets. It has implemented and               We also recommended management\ncontinues to update processes that            assign a group to conduct real-time\nmaintain incident, change, and                monitoring and develop a process for\navailability data.                            timely reporting of outages. The Postal\n                                              Service should also maintain reports\nHowever, the Postal Service has not           and metrics on the availability of POS\nbeen as effective in ensuring that its        terminals.\nPOS terminal operations meet\navailability targets. Employees at Postal     Link to review the entire report\nService sites do not always report\n\x0cSeptember 25, 2013\n\nMEMORANDUM FOR:              JOHN T. EDGAR\n                             VICE PRESIDENT, INFORMATION TECHNOLOGY\n\n                             KELLY M. SIGMON\n                             VICE PRESIDENT, CHANNEL ACCESS\n\n                             EDWARD F. PHELAN\n                             VICE PRESIDENT, DELIVERY AND POST OFFICE\n                             OPERATIONS\n\n\n\n\nFROM:                        John E. Cihota\n                             Deputy Assistant Inspector General\n                              for Financial and Systems Accountability\n\nSUBJECT:                     Audit Report \xe2\x80\x93 Availability of Critical\n                             Applications (Report Number IT-AR-13-008)\n\nThis report presents the results of our audit of the Availability of Critical Applications\n(Project Number 12XG033IT000).\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Paul L. Kuennen, director,\nInformation Technology, or me at 703-248-2100.\n\nAttachment\n\ncc: Corporate Audit and Response Management\n\x0cAvailability of Critical Applications                                                                               IT-AR-13-008\n\n\n\n\n                                               TABLE OF CONTENTS\n\nIntroduction ..................................................................................................................... 1\n\nConclusion ...................................................................................................................... 2\n\nAvailability and Monitoring of Facility Access and Shipment Tracking, PostalOne!-\n   Business Customer Support System, and usps.com ................................................ 2\n\nPoint-of-Service Terminal Operations ............................................................................. 3\n\nPoint-of-Service Monitoring Activities During Customer Business Hours ........................ 4\n\nRecommendations .......................................................................................................... 5\n\nManagement\xe2\x80\x99s Comments .............................................................................................. 6\n\nEvaluation of Management\xe2\x80\x99s Comments ......................................................................... 7\n\nAppendix A: Additional Information ................................................................................. 9\n\n   Background ................................................................................................................. 9\n\n   Objective, Scope, and Methodology .......................................................................... 12\n\n   Prior Audit Coverage ................................................................................................. 13\n\nAppendix B: Other Impacts ........................................................................................... 14\n\nAppendix C: Management\xe2\x80\x99s Comments ........................................................................ 15\n\x0cAvailability of Critical Applications                                                                     IT-AR-13-008\n\n\n\n\nIntroduction\n\nThis report presents the results of our self-initiated audit of the availability of the\nU.S. Postal Service's critical applications (Project Number 12XG033IT000). Our audit\nobjective was to assess the availability of critical Postal Service applications and related\nmonitoring activities. See Appendix A for additional information about this audit.\n\nThe Postal Service is committed to building a solid foundation of service and operational\nexcellence with new gains in service and efficiency. This commitment is driven by an\noverriding principle that the Postal Service exists to serve the customers for whom its\nservices and operations were created. Therefore, it is imperative that key Postal Service\nsystems are reliable and available to support the business and mission critical functions\nthat will provide and promote increased service and efficiency.\n\nThe Postal Service is striving to expand its business by providing increased availability\nof its critical applications. Availability ensures there is timely and reliable access to\ninformation resources1 for authorized users or other systems when required. Improving\nsystem reliability involves extreme scalability2 of information technology (IT) platforms to\ndeliver increased availability and support. The target availability level for most\napplications is 99.7 percent and, as of January 2013, the target availability level for\nonline applications increased to 99.9 percent.\n\nWe focused on four critical3 applications that support operations and services \xe2\x80\x94 Facility\nAccess and Shipment Tracking (FAST),4 Point-of-Service (POS)\xe2\x80\x93Retail,5\nPostalOne!\xe2\x80\x93Business Customer Support System (BCSS),6 and usps.com.7 Although we\nassessed availability and terminal outage data on the four applications, we did not\nassess customers' experiences with the services provided by these applications.\n\n1\n  Information resources include such things as systems and equipment, single-user computer equipment, hardware,\nsoftware, data and information, and products and services.\n2\n  The ability of a computer application or product to continue to function well when it is changed in size or volume in\norder to meet a customer's needs.\n3\n  According to the Postal Service\xe2\x80\x99s own Business Impact Assessments, these applications are deemed critical.\nCriticality reflects the need for continuous availability of information.\n4\n  FAST is the external scheduling and notification engine for drop ship customers and sending automatic updates to\nFAST users. Currently, FAST has no impact on the Postal Service's financial reporting.\n5\n  POS is also referred to as POS ONE. The POS terminal is the primary hardware and software system used to\nconduct sales transactions during the Post Office's check-out process. The system is a retail program that plays a\nmajor role in reaching Postal Service goals for improving customer service and empowers front-line personnel to\ndeliver the level of service and satisfaction that customers expect and demand. In fiscal year\ngenerated over                  in revenue.\n6\n  PostalOne!-BCSS provides mailers with an efficient, cost-effective, and seamless process from mail preparation to\nmail delivery; facilitates the integration of mailer and Postal Service business processes to expedite and better\nsupport mail acceptance and operations; and offers businesses the capability for electronic access, electronic\ndocumentation, business mail management, and electronic payment. In                                      generated over\n             in revenue.\n7\n  usps.com is the home page of the Postal Service's external website and provides customers with an online, one-\nstop shopping experience. From January 2012 to April 2013, usps.com recorded over 12 million visits to its website\nper day.\n                                                                1\n\x0cAvailability of Critical Applications                                                                      IT-AR-13-008\n\n\n\nConclusion\n\nThe Postal Service is proactive in its efforts to monitor the FAST, PostalOne!-BCSS,\nand usps.com applications to ensure they meet established availability targets. Overall\navailability rates for these systems have ranged from 99.81 to 99.93 percent.\nManagement implemented \xe2\x80\x94 and is continuing to update \xe2\x80\x94 the monitoring processes\nand tools8 that maintain incident, change, and availability data.\n\nHowever, the Postal Service has not been as effective in ensuring that its POS terminal\noperations meet availability targets. Specifically, employees at Postal Service sites did\nnot always promptly or properly report POS terminals that were disconnected from the\nnetwork to the designated help desk or identify the reasons for these outages. In\naddition, the Postal Service was not effectively monitoring the availability of POS\nterminals during customer business hours, unlike the other applications we reviewed.\nFurther, the Postal Service did not have a mechanism to determine the duration of POS\nterminal outages and to ascertain whether POS is meeting the Postal Service's\navailability target level. As a result, we identified annual revenue at risk totaling\n$809,403 related to POS outages. See Appendix B for additional details.\n\nAvailability and Monitoring of Facility Access and Shipment Tracking,\nPostalOne!-Business Customer Support System, and usps.com\n\nThe Postal Service is proactive in its efforts to monitor the FAST, PostalOne!-BCSS,\nand usps.com applications. Although external issues outside the Postal Service's\ncontrol can occur,9 management monitors these critical applications to ascertain that it\nmaintains availability targets10 and addresses issues immediately. Our analysis of\navailability data indicates these applications met established targets,11 with availability\nlevels ranging from 99.81 percent to 99.93 percent from FY 2011 through April 2013, as\nnoted in Table 1.\n\n                   Table 1. Application Availability \xe2\x80\x94 FY 2011 to April 2013\n\n              Application Name                     Total Outage Hours                         Availability\n           FAST                                            73                                  99.81%\n           PostalOne!-BCSS                                 48                                  99.87%\n           usps.com                                        37                                  99.93%\n          Source: CSR data.\n\n\n\n\n8\n  The Postal Service is replacing the application that manages change and incident issues (Remedy Information\nTechnology Service Management [RITSM]) to a system (Remedy Incident and Change Management) with the\ncapability of tracking incidents, problems, changes, known errors, work arounds, and IT system releases.\n9\n  On June 19, 2013, an external Internet issue occurred which affected some services provided externally through\nusps.com; however, this issue did not adversely impact availability targets.\n10\n   Information on critical applications identified on the Chief Information Officer (CIO) Watch List is maintained in the\nCIO Scorecard Reporting System (CSR). The CSR application provides scorecards for measuring performance to the\nCIO organization.\n11\n   As of January 2013, the target availability level for online applications changed from 99.7 to 99.9 percent.\n\n\n                                                           2\n\x0cAvailability of Critical Applications                                                               IT-AR-13-008\n\n\n\nThe Enterprise Systems Monitoring (ESM) group uses several monitoring tools12 to\nidentify system outages and has implemented an immediate response system for\nnotifying appropriate stakeholders to triage and resolve outage issues. In addition,\nmanagement implemented an effective process for overseeing, documenting, and\nreporting the daily performance, availability, and origin of outage issues associated with\nthese critical applications.\n\nOur review of change, incident, and availability data revealed that management can\nimprove the documentation process to enable consistent and accurate tracking and\ntrend reporting. However, the IT Performance Achievement and IT Strategy and\nCompliance groups13 are updating their processes and tools that maintain incident,\nchange, and availability data. In addition, improvements are underway for monitoring\nand collecting availability data on critical applications.14 Therefore, we did not make any\nrecommendations in this report, but encourage management to continue their efforts\nregarding these matters.\n\nPoint-of-Service Terminal Operations\n\nEmployees at Postal Service sites do not always promptly or properly report POS\nterminals that are disconnected from the network15 to the designated help desk. In\nreconstructing the POS terminal outage information, we determined there were at least\n92 POS terminals disconnected from the network during an 8-week period from\nFebruary through May 2013.16 The minimum outage timeframes17 for these POS\nterminals ranged from 2 to 22 days. Sixty-five of these 92 terminals (or 71 percent) did\nnot have help desk tickets within the RITSM18 application noting the outage, and the\nRetail Business Technology group19 did not provide a help desk ticket for these\n65 terminal outages. Further, they could only identify the current status for six of 92 of\nthe disconnected terminals (or 7 percent).\n\n\n\n\n12\n   ESM, under the IT Performance Achievement group, uses the Webmetrics and TMART tools to monitor critical\nPostal Service applications.\n13\n   See Appendix A.\n14\n   The IT Performance Achievement group recently implemented and is continuing to develop its IT Service\nManagement (ITSM) program. The program is the coordinated design, implementation and operation of several\nwidely accepted frameworks, methods, and standards for continuous service improvement of the IT enterprise.\n15\n   POS terminals disconnected from the network or that do not respond to a ping are considered terminal outages in\nthis report.\n16\n   We requested FY 2011 through May 2013 outage information on POS terminals; however, the Postal Service could\nonly provide information for 8 non-consecutive weeks from February through May 2013.\n17\n   We determined the minimum outage timeframes based on the last reported Enterprise Desktop Manager (EDM)\nconnection date to the date of Retail Business Technology emails sent to the site inquiring about the outage. The\nactual POS outage time was likely more than the outage timeframes. A program runs on the POS terminals when the\nsystem is booted nightly and connects to the EDM system. The last EDM connection is tracked to identify machines\nwhich have not connected to the network.\n18\n   RITSM (Version 5) contains problem management (help desk) and change management modules.\n19\n   This group manages the POS terminals to support retail business needs related to providing customers with easy\naccess to products and services, customer service, data transactions, and policies.\n\n\n                                                        3\n\x0cAvailability of Critical Applications                                                                IT-AR-13-008\n\n\n\nPostal Service policy20 states that if a POS terminal becomes unavailable, including\ntime spent in a degraded mode,21 the help desk should be notified and a ticket opened.\nPolicy also states that all problems must be recorded to capture the issues, identify the\nroot causes, provide quick resolution, and minimize the business impact on\noperations.22\n\nThis occurred because sites are not properly following policy to report POS terminal\noutages to the designated help desk. Also, the Retail Business Technology group is not\nproviding sufficient guidance23 on outage issues, including how and when to report POS\nterminal outages.\n\nTimely resolution of POS terminal outages assists in restoring the ability to process\ndebit and credit card transactions and reducing overall customer wait times. Also, the\ninability to process debit and credit card transactions could result in a reduction in the\nannual                      generated revenue. We identified annual revenue at risk\ntotaling $809,403 relating to POS outages. See Appendix B for additional details.\n\nPoint-of-Service Monitoring Activities During Customer Business Hours\n\nThe Postal Service is not effectively monitoring the availability of POS terminals during\ncustomer business hours. Policy states that managers must ensure that information\nresources are available and continuously monitored.24 The Desktop Computing25 group\npings26 the POS terminals and compiles a daily State of Health report,27 and the EDM\nprocess28 gathers information nightly on the POS terminals\xe2\x80\x99 last EDM connection.\nHowever, during customer business hours, management cannot assess the availability\nof POS terminals because there is no real-time monitoring that alerts management of\nPOS terminal outages or terminals operating in degraded mode. Also, management\ndoes not have a way to track how long POS terminals are unavailable or if POS is\nmeeting the Postal Service\xe2\x80\x99s availability target level.29\n\n\n\n\n                                       POS ONE Procedures Guide, Section 14, Degraded/Stand-Alone Mode, dated\nJanuary 15, 2013; and Management Instruction PO-130-2003-1, POS One Manual Workaround: Business\nContingency and Continuity Plan Documentation, pages 9-10, dated August 18, 2003.\n21\n   When a terminal goes into a degraded mode, there is no connectivity and it cannot accept debit and credit card\ntransactions.\n22\n   Problem Management Policy, Version 1.0, page 1, dated August 17, 2012; and Problem Management Process,\nVersion 1.0, pages 1-4, dated August 17, 2012.\n23\n   There is online training, which covers three areas (POS One Front Office Web-Based; POS One Back Office\nAdministration; and POS One Back Office Close-Out); however, the training does not include important details on\nhow and when to report outages and this information is not communicated regularly to the sites.\n24\n   Handbook AS-805, Information Security, Section 2-2.10, Officers and Managers; Section 9-9, Availability; and\nSection 9-9.6, High Availability, dated July 2012.\n25\n   See Appendix A.\n26\n   Each script that collects data from a POS terminal begins with a ping to ensure the target machine is reachable.\n27\n   The State of Health report contains data on all POS terminals nationwide and is used as a post-review of the POS\nenvironment as captured during the daily ping process.\n28\n   A program runs on the POS terminals when the system is booted nightly and connects to the EDM system. The last\nEDM connection is tracked to identify machines which have not connected to the network.\n29\n   The current target availability level for critical applications is 99.7 percent.\n\n\n                                                        4\n\x0cAvailability of Critical Applications                                                                      IT-AR-13-008\n\n\n\nThis occurred because there is no group assigned to conduct real-time monitoring and\nreporting of POS terminal outages to the designated help desk and no one is tasked\nwith developing and maintaining metrics on the availability of POS terminals over time.30\nWithout timely detection and resolution of POS terminal outages, the Postal Service\ncould be losing revenue and access to services.\n\nThe Postal Service plans to deploy new software31 for POS terminals in January 2014.\nAlthough recommendations in this report are specific to POS, the POS monitoring and\navailability issues identified relate to Postal Service POS retail operations and are\napplicable to the new software. Therefore, we encourage the Postal Service to\nstrengthen POS monitoring and reporting capabilities during the planning and\nimplementation process for the new replacement software.\n\nRecommendations\n\nWe recommend the vice president, Channel Access, direct the manager, Retail\nBusiness Technology, to:\n\n1. Develop guidance for all Point-of-Service (POS)\xe2\x80\x93Retail associates on responding to\n   an outage or a POS terminal in degraded mode.\n\nWe recommend the vice president, Delivery and Post Office Operations:\n\n2. Provide the guidance developed by the Retail Business Technology group for Point-\n   of-Service (POS)\xe2\x80\x93Retail users on how to respond to an outage or a POS terminal in\n   degraded mode.\n\n3. Document and provide oversight to ensure users of Point-of-Service\xe2\x80\x93Retail\n   terminals at all Postal Service sites immediately report all terminal outages and\n   issues to the designated help desk.\n\n\n\n\n30\n   As a result of this audit, the Supply Management group commissioned the vendor to obtain metrics needed to\ncalculate POS availability for the past year.\n31\n   Retail Systems Software (RSS) will replace various established retail solutions, including the software currently in\nthe POS terminals.\n\n\n                                                            5\n\x0cAvailability of Critical Applications                                                 IT-AR-13-008\n\n\n\nWe recommend the vice president, Channel Access, in coordination with the vice\npresident, Information Technology:\n\n4. Assign responsibility for conducting real-time monitoring of Point-of-Service\xe2\x80\x93Retail\n   terminals and developing a process for timely reporting outages and degraded\n   issues.\n\n5. Develop and maintain metrics and reports on the availability of Point-of-Service\xe2\x80\x93\n   Retail terminals over time.\n\nManagement\xe2\x80\x99s Comments\n\nManagement neither agreed nor disagreed with the findings and recommendation 5;\ndisagreed with recommendations 1, 3, and 4; and agreed with recommendation 2.\n\nRegarding recommendation 2, management agreed to remind employees of the proper\nprocedures on how to respond to an outage or POS terminals in degraded mode. The\ntarget date for this reminder is October 30, 2013.\n\nRegarding recommendation 1, management noted the existence of guidance in the form\nof FAQs (frequently asked questions), procedures, guides, and contingency plans.\n\nRegarding recommendation 3, management stated the data provided to the U.S. Postal\nService Office of Inspector General (OIG) indicates that employees call the help desk\nwhen there is an issue, substantiating their awareness of procedures.\n\nRegarding recommendation 4, management indicated that end users are an effective\nway to monitor POS and enable the help desk to effectively and efficiently troubleshoot\nand resolve issues. They also stated that real-time monitoring represents a major effort;\nit is not feasible to run the current technical capability used in support of POS more than\nfive times per day under normal conditions; and implementing a real-time monitoring\nsystem would be costly and the benefits not justifiable.\n\nRegarding recommendation 5, management noted they currently use a help desk ticket\ncase rate to measure issues with POS. Management reviews the case rate quarterly\nwith the vendor to continuously improve system availability.\n\nManagement also noted that our audit methodology did not measure the POS\napplication, but rather factors that may affect the full functionality of retail point of sale.\nManagement also noted that the report did not take into account terminals that were\nunavailable due to planned reasons and that their summary information identified help\ndesk tickets for many of the terminal outages. See Appendix C for management\xe2\x80\x99s\ncomments, in their entirety.\n\n\n\n\n                                                6\n\x0cAvailability of Critical Applications                                             IT-AR-13-008\n\n\n\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nThe OIG considers management\xe2\x80\x99s comments responsive to recommendation 2 and the\ncorrective action should resolve the issue identified in the report.\n\nWe consider management\xe2\x80\x99s comments regarding recommendations 1, 3, 4, and 5 to be\nnon-responsive. The intent of recommendation 1 is to ensure direct, detailed, and\nperiodic communication is developed for reporting POS terminal outages timely. This\ncould include important details on how and when to report outages and how often\ninformation is communicated to the sites.\n\nRegarding recommendation 3, the data provided did not show that all POS terminal\noutages had a corresponding help desk ticket. Also, we examined the additional data\nprovided after our exit conference and could not use it for report purposes because of\nerrors in the data. As such, we reported our findings based on the supporting evidence.\n\nRegarding recommendation 4, we believe management cannot solely rely on end users\nfor monitoring availability because all outages do not have a help desk ticket. Also,\nwhile we understand there is a cost to real-time monitoring, the benefit of monitoring\nmore than five times per day may be beneficial for ensuring that all POS terminal\nservices and tender types are provided to Postal Service customers in a timely manner.\n\nManagement\xe2\x80\x99s response to recommendation 5 did not address the intent of the\nrecommendation, which was to maintain metrics on the availability of the POS terminals\nover time. While we understand they have a help desk ticket case rate, this does not\nmeasure the availability of POS terminals, but only reflects the outage category for\nreported help desk tickets. Management does not maintain a metric that is in line with\nDelivering Results, Innovation, Value, and Efficiency (DRIVE) Initiative 19, which targets\nmeeting availability requirements for critical applications. Also, management does not\ngenerate POS outage reports which reflect the unavailability of POS terminals.\n\nRegarding management\xe2\x80\x99s comments about our audit methodology, we disagree. As\nstated earlier in this report, our objective was to assess the availability of four critical\nPostal Service applications (including POS) and the related monitoring activities. We\nunderstand the POS application alone cannot provide the full functionality of services\ncustomers expect at the retail counters (use of all tender types) without the availability\nof the network and hardware. Therefore, the availability of all point of sale components\ntogether enable the availability of point of sale services to Postal Service customers.\nDuring our review we requested, but did not receive, information to explain the reasons\nfor the POS terminal outages identified and were told this information was not\nmaintained or available. Therefore, we relied on help desk tickets in Remedy; however,\nthe data did not correlate with the data we had on the terminal machines (POS terminal\nmachine name). Further, the additional information provided in the summary document\nduring our exit did not correlate with the information gathered during our audit. As a\n\n\n\n\n                                              7\n\x0cAvailability of Critical Applications                                        IT-AR-13-008\n\n\n\nresult, we reported our findings based on supporting evidence (as discussed in our\nresponse to recommendation 3).\n\nThe OIG considers recommendation 2 significant,and, therefore, requires OIG\nconcurrence before closure. Consequently, the OIG requests written confirmation when\ncorrective action is completed. This recommendation should not be closed in the Postal\nService\xe2\x80\x99s follow-up tracking system until the OIG provides written confirmation that the\nrecommendation can be closed. Due to the small percentage of terminal outages, we do\nnot plan to elevate significant recommendations 1, 3, 4, and 5 for formal audit\nresolution.\n\n\n\n\n                                           8\n\x0cAvailability of Critical Applications                                               IT-AR-13-008\n\n\n\n\n                                   Appendix A: Additional Information\n\nBackground\n\nThe Postal Service\xe2\x80\x99s 2013 plan32 focuses on strengthening core operations and\nservices, while recognizing that its sole existence is to serve its customers. This\ninvolves services that allow customers to shop more efficiently and provide innovative\nsolutions that meet their business or personal needs. It also involves leveraging Postal\nService strengths by building on the reach and capability of its network and making full\nuse of the power of information to enhance its services.\n\nCurrently, the Postal Service is striving to expand its business with customers by\nproviding increased availability of its critical applications. The target availability level for\nmost applications is 99.7 percent and for online applications is 99.9 percent. The DRIVE\ninitiative consists of 24 initiatives for improving business strategies while providing\nstreamlined reporting and accountability. Initiative 19,33 assigned to the IT group, targets\nmeeting evolving critical business system scalability, performance, and availability\nrequirements through technology and process enhancements. IT groups assisting in\nthis initiative include:\n\n\xef\x82\xa7      IT Performance Achievement\n       Responsible for elevating availability, capacity, and performance transformation to\n       99.9 percent; and identifying an extreme scale computing roadmap for achieving\n       more than 99.9 percent availability. Typically this group oversees incident and\n       change management (including the IT service desk), capacity and performance,\n       enterprise system monitoring, problem management processes, and related policies.\n       This group recently implemented the ITSM process, which is the coordinated design,\n       implementation, and operation of several widely accepted frameworks, methods,\n       and standards as part of an enterprise IT continuous service improvement program.\n\n\xef\x82\xa7      ESM\n       Reports directly to IT Performance Achievement and provides IT customers with\n       both infrastructure and application monitoring services for distributed systems. They\n       also provide incident management and operations support services for system\n       administrators and application support staff. In addition, they provide\n       24 hours a day/7 days a week monitoring, notification, information, and operations\n       support services. Although they monitor PostalOne!-BCSS, FAST, and usps.com,\n       they do not monitor the POS terminals.\n\n\n\n\n32\n     Vision 2013, Five-Year Strategic Plan for 2009-2013, dated October 2008.\n33\n     DRIVE 19, Achieve Six Sigma IT System Reliability.\n\n\n                                                           9\n\x0cAvailability of Critical Applications                                                                  IT-AR-13-008\n\n\n\n\n\xef\x82\xa7      Solutions Development and Support\n       Responsible for baseline IT services, architecture, metrics, and risks, including\n       identification of clear IT value services to business. Specifically, this group is\n       responsible for developing, maintaining, and enhancing of business systems,\n       including overseeing the transition of systems developed by business partners to an\n       internal supported environment and supporting ongoing changes and new\n       functionality.\n\n\xef\x82\xa7      Business Relationship Management\n       Responsible for developing the Postal Service's business services map, business\n       needs targets, and business cases. This involves identifying process governance,\n       architectures, and the component tools of the IT services needed to meet the\n       business needs for a range of best-in-class availability; providing specific cost\n       models and implementation roadmaps for availability models; and determining the\n       roadmap and costs for IT services to achieve the business requirements. Typically,\n       this group is responsible for managing the planning, development, deployment, and\n       maintenance of integrated business systems solutions for Finance, Human\n       Resources, Marketing, Enabling, Field Relations, and other administrative support\n       function customers.\n\n\xef\x82\xa7      IT Strategy and Compliance\n       Responsible for managing the governance and compliance functions for Postal\n       Service IT for quality continuous improvement. They standardize IT processes and\n       procedures, improve IT processes that drive effective service delivery, and align IT\n       programs with approved strategies for integrated results. In addition, they develop,\n       audit, and define compliance against IT policies, procedures, and standards. This\n       group is also responsible for maintaining and providing the USPS Office of the CIO\n       Daily Flash Report34 for key Postal Service applications that are on the CIO Watch\n       List and reported in the CSR system.\n\nPOS, with over 45,000 terminals, is the primary hardware and software system used to\nconduct sales transactions. POS automates retail transactions, enhances the customer\nexperience, and captures transactional data related to products and services sold. As a\nmajor revenue reporting system, POS plays a major role in improving customer service\nand providing employees with the tools required to efficiently and easily provide\nservices. POS terminals can function in stand-alone mode during emergencies and\ntransmit when full network connections are reestablished. Without POS, the Postal\nService would have limited ability to service customers and perform accurate analysis of\nretail activities.\n\nIf a POS terminal is not functioning properly, users should report the issue immediately.\nThis would also include a POS failure or a POS terminal in degraded mode. If a terminal\nis in degraded mode, the retail associate will not be able to accept credit and debit\ncards transactions via the terminal or perform end-of-the-day closeouts. To report an\n34\n     This report is provided to the vice president, IT, to share with the Executive Leadership Team.\n\n\n                                                             10\n\x0cAvailability of Critical Applications                                                             IT-AR-13-008\n\n\n\nissue, a user should contact the designated help desk (currently staffed by a\ncontractor). The help desk troubleshoots the issue and opens a ticket within RITSM.\nThere is no manual process available to cover all of the POS functions; therefore,\ncustomers, business partners, and Postal Service revenue may be impacted if the\nterminals are not fully functional.\n\nThe Postal Service plans to replace the current software on all retail systems, including\nthe POS terminals, with RSS in 2014. RSS will provide employees and business\npartners with tools to perform their jobs, sell retail products, and serve customers more\nefficiently.\n\nGroups with responsibilities related to POS terminal operations and monitoring activities\ninclude:\n\n\xef\x82\xa7    Retail Business Technology35\n     Responsible for managing the development, implementation, maintenance, review,\n     and operation oversight of retail service equipment. The group also manages the\n     lifecycle of multiple platforms of hardware and software solutions such as the POS\n     terminals to support retail business needs related to providing customers with easy\n     access to products and services, customer service, data transactions, and policies.\n     In addition, they manage the Retail Data Mart (RDM),36 including methodologies for\n     analysis and use of the data collected. Retail managers use RDM reports for\n     operations planning, sales, and market analysis to improve management of product\n     inventory, staffing levels, customer service, and overall store performance. The\n     Retail Business Technology group oversees the vendor contract and works directly\n     with the vendor to manage the POS terminals.\n\n\xef\x82\xa7    Desktop Computing37\n     Responsible for supporting the overall POS network by running scripts that ping the\n     POS terminals to determine network connection. In addition, they develop the State\n     of Health reports that provide the overall state of the POS terminals.\n\n\xef\x82\xa7    IT Software, Services, and Retail Systems Category Management Centers38\n     Responsible for managing the contract between the Postal Service and the vendor.\n     The vendor provides support for both the hardware and software of the POS\n     terminals and their help desk troubleshoots any POS terminal-related issues. The\n     help desk uses RITSM, which is the problem tracking and reporting system that is\n     used to keep track of customer reported problems and requests.\n\n\n\n\n35\n   Retail Business Technology is under the Channel Access group.\n36\n   RDM is a data storage system that houses retail customer transaction information from all POS offices. Daily\ntransmittals of data from offices into the RDM enable the retail organization to track and analyze customer\npreferences and purchase trends.\n37\n   Desktop Computing is one of four areas that make up the Enterprise Access Infrastructure group under IT.\n38\n   IT Software, Services, and Retail Systems Category Management Center is under the Supply Management group.\n\n\n                                                      11\n\x0cAvailability of Critical Applications                                                                  IT-AR-13-008\n\n\n\n\nObjective, Scope, and Methodology\n\nOur objective was to assess the availability of critical Postal Service applications and\nrelated monitoring activities. To accomplish our objective, we reviewed policies,\nprocedures, and processes related to problem, incident, and change management as\nwell as the availability of critical systems. We obtained additional information (Business\nImpact Assessment, relevant contracts, solution development release schedules, Yearly\nNational Flash reports, and Pulse Check documents) regarding the in-scope\napplications from officials in the following areas:\n\n\xef\x82\xa7    Channel Access, representing Retail Business Technology and usps.com.\n\n\xef\x82\xa7    Consumer and Industry Affairs, representing Enterprise Customer Care.\n\n\xef\x82\xa7    Delivery and Post Office Operations, representing Customer Services Operations.\n\n\xef\x82\xa7    IT, representing Enterprise Access Infrastructure, Performance and Achievement,\n     Solutions Development and Support, and IT Strategy and Compliance.\n\n\xef\x82\xa7    Mail Entry and Payment Technology and Product Information, representing Address\n     Management.\n\nDuring the survey phase, we obtained and reviewed incident and change data39 from\nRemedy; availability information from the CIO 8-Week Trend, Daily Flash, Weekly IT\nreports and the CSR module; and general and security information documented in the\nEnterprise Information Repository (EIR) system.40 As a result, we judgmentally selected\nfour applications for review \xe2\x80\x94 FAST, POS, PostalOne!-BCSS, and usps.com.\n\nWe also reviewed and responded to information obtained via the OIG blog titled Your\nExperience with the Customer Experience. We also collected and analyzed additional\nincident, change, outage, and availability data41 on the four judgmentally selected\napplications to identify systemic issues related to outages and opportunities for\nimprovement. We analyzed CSR availability data and manual adjustment information42\nto verify availability targets were met for FAST, PostalOne!-BCSS, and usps.com for\nspecific periods from FY 2011 through April 2013. We also analyzed POS terminal\noutages listed in emails to determine whether they had corresponding help desk tickets\nand the reason for the outage. We conservatively calculated the outage duration from\nthe last ping date of the POS terminal to the date the notification email was provided to\n\n39\n   Change and incident data for FY 2011 to January 2013.\n40\n   The EIR provides a centralized storage and access location for standard corporate information resource objects.\n41\n   Change, incident, and outage data on FAST, PostalOne!-BCSS, and usps.com for the period FY 2011 through\nApril 2013 extracted from Remedy, and availability data extracted from the CSR module in the Enterprise Data\nWarehouse. For POS, we obtained change and incident data from Remedy, data on terminal ping results, State of\nHealth reports from the Desktop Computing group, and outage information from the Retail Business Technology\ngroup.\n42\n   We analyzed information on blackout requests, which required adjustments to CSR availability data.\n\n\n                                                         12\n\x0cAvailability of Critical Applications                                                                IT-AR-13-008\n\n\n\nthe area coordinators. We reviewed the Enterprise Data Portal (EDP)43 for pertinent\nPOS information and the Request Time Out and State of Health reports. Although we\nassessed availability and terminal outage data on the four applications and reviewed\ncomments from the OIG blog, we did not assess customers' experiences with the\nservices provided by these applications.\n\nWe conducted this performance audit from September 2012 through September 2013 in\naccordance with generally accepted government auditing standards and included such\ntests of internal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objective. We discussed our\nobservations and conclusions with management on August 14, 2013, and included their\ncomments where appropriate.\n\nWe assessed the reliability of the reported availability levels of the FAST,\nPostalOne!-BCSS, and usps.com applications by reviewing the detailed outage data\n(including outage dates, time, and duration) from CSR, along with blackout reports for\nFYs 2011 through 2013. We also interviewed agency officials knowledgeable about the\ndata and determined that the data were sufficiently reliable for the purposes of this\naudit.\n\nPrior Audit Coverage\n\nIn our report titled Fiscal Year 2010 PostalOne! Outage (Report Number FF-AR-10-205,\ndated August 5, 2010), we reported that the February 2010 PostalOne! outage impacted\nmail acceptance operations and revenue collection efforts nationwide. Although the\nPostal Service implemented a contingency plan during this period, it was not adequately\nprepared to manually support operations during such an extended outage. In addition,\nemployees did not record revenue for mailings received during this period until the\nsystem returned to full operation. Further, the Postal Service\xe2\x80\x99s reliance on a system that\nhas frequent interruptions in availability could impact successful remediation of an\nexisting significant deficiency related to business mail acceptance. We identified\nmonetary impact totaling $355,107.\n\nWe made two recommendations to update and test the contingency plan to provide for\nthe performance of key mail acceptance procedures in the absence of PostalOne! and\ntest the remediation controls identified to address gaps related to PostalOne!\ninterruptions that affected efforts to remediate the significant deficiency. Management\nagreed with both recommendations.\n\n\n\n\n43\n  The EDP provides information on the POS terminals such as facility location, machine name, last ping date, and\nlast EDM connection date.\n\n\n                                                        13\n\x0cAvailability of Critical Applications                                                                     IT-AR-13-008\n\n\n\n                                        Appendix B: Other Impacts\n\n               Recommendation                        Impact Category                         Amount\n                     3                               Revenue at Risk44                      $2,319,253\n                    4, 5                            Improved Service45                         None\n\nWe estimated revenue at risk of $2,319,253 by calculating the average daily debit and\ncredit walk-in revenue for a POS terminal.\n\n\xef\x82\xa7      We calculated the average debit walk-in revenue for a POS terminal by dividing the\n       total FY 2012 debit tender walk-in revenue of                  by 365 days and by\n       45,853 terminals, which equals          .\n\n\xef\x82\xa7      We calculated the average credit walk-in revenue for a POS terminal by dividing the\n       total FY 2012 credit tender walk-in revenue of                  by 365 days and\n       by 45,853 terminals, which equals          .\n\nWe projected the total revenue at risk for the 8-week period back 2 years and forward\nthrough December 31, 2013 (see Table 2).\n\n                                Table 2: Other Impact, Revenue at Risk\n\n\n                                                       Revenue at\n                                        Average         Risk for               Annual\n      Tender                             Daily          8-Week                Revenue   Total Revenue\n       Type                              Rate            Period                at Risk     at Risk\n       Debit                                                                                $ 798,904\n       Credit                                                                                1,520,349\n       Total                                            $124,523.63            $809,403     $2,319,253\n     Source: OIG calculation.\n\n\n\n\n44\n   Revenue the Postal Service is at risk of losing (for example, when a mailer seeks alternative solutions for services\ncurrently provided by the Postal Service).\n45\n   Initiatives aimed at expanding and improving the quality of and access to products and services that serve the\nentire spectrum of the Postal Service customer base.\n\n\n                                                           14\n\x0cAvailability of Critical Applications                             IT-AR-13-008\n\n\n\n\n                              Appendix C: Management\xe2\x80\x99s Comments\n\n\n\n\n                                             15\n\x0cAvailability of Critical Applications        IT-AR-13-008\n\n\n\n\n                                        16\n\x0cAvailability of Critical Applications        IT-AR-13-008\n\n\n\n\n                                        17\n\x0cAvailability of Critical Applications        IT-AR-13-008\n\n\n\n\n                                        18\n\x0c"